Now, while the attack vector might be simple, the actual malware itself is not. Once in the system Backoff creates a new folder called OracleJava in the AppData folder of the compromised account. It also installs an exe called JavaW.exe what is run to monitor memory and transmit that data (encrypted of course) over http as a post command to an established URI (right now it is /windebug/updcheck.php). Karl told us that the URI does change with different versions making the communication avenue hard to nail down. The URI itself also might be missed because it could look like Windows debug information to someone that does not know what they are looking for.
For persistence (the way it keeps on the system) Backoff has a rather sophisticated method. In addition to the normal registry entries in the run line, Backoff also has a method to reinstall itself in the installed components key in HKeyLoaclMachine. To make things a little more complicated backoff also runs in memory and checks to see if the exe is there, if it is not it will reinstall itself from an encrypted backup copy (named nsskrnl). These combined are pretty sophisticated when it comes to persistence mechanisms. The addition of an entry in the installed components key is a rather new and clever method.
Karl then walked us through an actual demo of Backoff in operation showing us both the end user and a simulated collection server. Backoff communicates back home roughly every 60 seconds. It will identify itself with some unique information so that the bad guys know which system is checking in and what version of Backoff is running. The coders included both the build name and the version number (in this case Last and 1.56). In this latest version the developers have added in keylogging functionality. This is most likely to capture any cards that have to be manually entered into the system. We watched as the login information was captured from memory only to show up on the server about a minute later. The same thing then followed when he swiped a test card, all of the data for the card was captured and faithfully transmitted to the demo server about a minute later.
All of this data is sent in an encrypted format over http port 80 (to the URI we mentioned before). For encryption the developers again show sophistication. They use a unique system identifier as part of the encryption key and then encapsulate that in RC4 to make sure nothing gets messed up or looks odd going out over port 80. Again the data transmission is a simple http post command to put the information on a remote server. In reality it is brilliant in both its complexity and simplicity, two words that normally do not go together.
Now for all of this sophistication backoff can be stopped through some simple steps. First, disable remote access software on any POS terminal. If this is not possible then the use of complex (and long) passwords in combination with two factor authentication will stop this attack before it even starts. POS systems are prime targets as they are often the least secure systems in an environment. Single shared accounts with simple passwords on unpatched and/or updated software make these prime targets. In many cases POS systems are still running Windows XP making them even more vulnerable.
Karl said (and we completely agree) that by simply following best practices to secure these systems you can mitigate most of these types of attacks. Intruders are looking to get the biggest bang for their buck, they are actively looking for open ports, simple passwords and unpatched systems. Sadly a majority of companies are not doing this. Karl showed us a report available on Trustwave’s new interactive Global Security Report that listed “Password1” as the most common password in use. The report also showed that roughly 54% of systems were able to be compromised through the use of a simple dictionary attack in minutes. This is a bad state of affairs.
In the end by taking simple steps to ensure the security of critical systems an organization can put themselves about the common broadcast attacks. You will still need a layered defense to help slow a determined targeted attack as well as staff that is trained to know what to look for and respond when needed. The big change will be the shift in thinking to look at POS and PMS (property management systems) as critical to an organization. Sadly that might take some time and another major malware to make happen.
Tell us what you think in our Forum